Remote Access Enabling Technologies

1
Remote Access Enabling Technologies

• If you can avoid it, dont do it
• Presentation to GOVIS
• John Hanson
• 22 July 2004

2
Remote Access Definition

• All remote working outside of your internal
  networks
• Includes
• Work on devices off-line
• Work at Home
• Work from Foreign devices (Internet Cafes)
• Work outside of NZ
• Not just PCs, laptops but PDAs, cellphones

3
Comment on Security

• As a general comment security relies on system
  safeguards, policies, awareness and the external
  environment.
• With Remote Access you have no control over the
  external environment and often the policies and
  awareness are not there.

4
Understand The Drivers

• MBMA
• Technolust
• General mobility
• Cheaper access options (Smaller offices)
• Pressure to work at Home
• Pressure to access info away from office
• Greater productivity

5
However Understand that .

• CEs and others dont understand your problems
• Remote access is a business issue
• RAS is ONLY an enabler
• Infrastructure will always be used for other
  things than intended
• External environment is hostile
• Remote equipment open to other people
• There are significant risks, costs

6
Risks

• Committing to greater level of funding (minor)
• Remote equipment loss (minor)
• Network compromised (major for IT)
• Loss of Information (or compromised) ie by
  Shoulder surfing, screen scraping or capture
  (MAJOR)
• All leading to bad PR, non performance,
  increased costs, loss of credibility, broken
  relationships, knocking on door of minister

7
Policies

• AS/NZS/ISO 17799
• General security
• Access Policy (Apps, Network)
• Security Policy
• Police checks / security clearances
• Remote Access (Working) policy
• Who, How, Conditions, Ownership
• Potential backdoors, anti virus, software,
  templates
• Internet and E-mail policy(s)
• Personal use issues

8
Policies (Cont)

• IM Policy
• Accounting Policy
• Ownership of equipment, who can approve
• Payment for lines charges, use etc
• Be aware of FBT

9
IM Issues

• BIGGEST issue by far
• Only documents rated Sensitive and below use
  encryption and harden equipment (firewall,SSL)
• No oversight by other staff
• Staff must be aware of obligations
• Document management, versions, copies
• Document Security Classification handling
• Archives Act requirements
• Droppings left behind cache, temporary files

10
Legal Issues

• Are staff still covered while at home or away by
  SOPs?
• International boundaries
• OSH How to measure damage where home office not
  up to scratch. Org is liable
• Licencing WAH licences, secondary use
• Archives Act requirements
• Sending deflamatory material by mistake
• Passing on viruses to third parties who has
  obligations?

11
How to Sleep at Night

• Ensure business understands Remote Working is a
  business issue
• Each person to get approved
• Educate ET of risks
• Awareness programme for staff mngrs
• Have policies in place
• Ensure IM issues are sorted

12
IT Things to Manage

• Ensure RAS implementation is top quality and
  managed
• Ensure Change Control is implemented
• Get User Registration process sorted
• Ensure Technical staff play the game
• Pay for external QA and testing
• Have appropriate funding to support RAS
• Publish Service Levels, manage expectations
• Look at encyption on laptops, flash drives,
  removable media

13
Role of EGU (GCSB) ?

• Caveat Unsure whether some of this is already
  being done
• To facilitate a Remote Access Lego block
• To facilitate and make educational material
  available
• To facilitate and make good practice policy
  available
• To organise a briefing for Departmental heads of
  the risks of particular architectures,
  particularly Remote Access

14
Questions ?

• Thank You